Over 1,200 Entities Hit by TA571’s Forked IcedID Offensive

Forked IcedID

In two recent cybercrime campaigns, on 11 and 18 October 2023, Proofpoint researchers observed TA571 sending more than 6,000 emails per campaign, targeting more than 1,200 customers across a wide range of sectors worldwide.

The emails were crafted to look like replies to existing conversations, a technique known as 'thread hijacking'. Each message carried a 404 TDS URL that led the recipient to download a password-protected zip archive; the password needed to open the archive was given in the email body itself. Before the zip was served, the TDS ran a series of checks on the visitor to confirm it was an intended target rather than a sandbox, crawler or researcher.

The archive contained a harmless-looking text file alongside a VBS script. If a user ran the script, it launched the Forked IcedID loader (a DLL) via regsvr32, and the loader in turn downloaded the IcedID bot. Because regsvr32 is a Microsoft-signed Windows binary, the loader runs under a trusted process name; the detectable signal is the script host spawning regsvr32 with a DLL from a user-writable location, not the binary itself.
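The execution chain described above can be detected on the endpoint from process-creation telemetry. The following is an added example, not code from Proofpoint's report or from TA571's tooling: it applies that logic to constructed Sysmon-style process-creation events. The event fields, file paths, process IDs and the list of user-writable directories are all assumptions chosen for illustration.

```python
"""
Flag regsvr32.exe spawned by a Windows script host (wscript/cscript) and
loading a DLL from a user-writable path: the VBS -> regsvr32 -> loader DLL
chain used to start the Forked IcedID loader.

All events below are constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass

# Script hosts that run a .vbs file (assumed set of interest).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# User-writable locations where an emailed zip is typically extracted
# (assumed list; extend for your environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)\\",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path):
    """Last path component, lower-cased, for comparing image names."""
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_dll_arg(cmdline):
    """Return the DLL path given to regsvr32, or None if there is none.

    regsvr32 switches (/s, /u, /n, /i:<arg>) are skipped; the first token
    that is not a switch is the DLL. Quoted paths with spaces are kept whole.
    """
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)
    for tok in tokens[1:]:  # tokens[0] is the regsvr32 image itself
        tok = tok.strip('"')
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def find_suspicious_chains(events):
    """Return a list of hits, one per regsvr32 launched by a script host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) != "regsvr32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in SCRIPT_HOSTS:
            continue
        dll = regsvr32_dll_arg(e.cmdline)
        if dll is None:
            continue
        hits.append({
            "parent_cmdline": parent.cmdline,
            "child_cmdline": e.cmdline,
            "dll": dll,
            # True raises the severity: DLL came from a user-writable dir.
            "user_writable": bool(USER_WRITABLE.match(dll)),
        })
    return hits


# Constructed sample events: one malicious chain plus two benign regsvr32 uses.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'),
    ProcEvent(4300, 4200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\loader.dll"),
    # Benign: regsvr32 started from explorer, system DLL.
    ProcEvent(4400, 4100, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    # Benign: installer registering its own component.
    ProcEvent(4500, 5000, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print("ALERT script host -> regsvr32:", hit)
```

The parent-child relation is resolved by process ID within the batch, so events must come from the same host and time window; in a SIEM you would key on the ParentImage field directly. Treat a hit with `user_writable` set as high severity, and a hit on a system or Program Files path as something to review rather than auto-block.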

The use of the Forked IcedID variant in these campaigns stands out because it is rarely seen. Proofpoint first identified this variant in February 2023; it differs from the original chiefly in that the banking functionality has been removed. That change points to a shift in the malware's role from banking fraud toward acting as a loader for follow-on payloads, with ransomware the most likely outcome.

Central to TA571's operations is the repeated use of 404 TDS, a traffic distribution system observed since September 2022 that redirects visitors to malicious content based on who they are. Proofpoint's analysis suggests 404 TDS is not exclusive to TA571 and is likely shared with, or sold to, a number of other threat actors.

TA571 is a high-volume spam distributor known for delivering a range of malware on behalf of its cybercriminal customers. Proofpoint assesses that TA571's activity is likely to lead to ransomware infections.

What makes TA571 particularly concerning is not only its use of the Forked IcedID variant but also its refined delivery chain. TA571 filters traffic through intermediate gates that check the visitor's IP address and geographic location, so the payload is served only to intended targets and withheld from automated analysis systems and security researchers. Analysts reproducing the chain should therefore expect a benign or empty response when their source IP or region does not match the campaign's targeting, and should not read that as evidence the URL is clean.